Java security, OS X and C

Ted North
Ranch Hand

Joined: Jan 02, 2012
Posts: 192
    
    1

David Svoboda wrote: Thanks for the welcome, folks. It should be a fun week.


Hello all and especially the authors,

This book seems very interesting and very relevant in light of all the vulnerabilities with Java and OS X. Will the book address any of these issues? This link describes what I am referring to; it is an article on ZDNet describing Java 7 OS X vulnerabilities.

Are Java security issues mainly with code jumping out of the 'security manager', or are there other serious security concerns to be aware of?

Do you think it will take years to find all of the bugs in Java that create vulnerabilities similar to C? This is, of course, because the C programming language is notorious for its buffer overflows.

Thanks for reading this enormous post of words in your sure-to-be-busy days. I am glad the book is only three-hundred-something pages, so I can do other things with my tiny life.

Respectfully,

Ted North
David Svoboda
Author
Greenhorn

Joined: Oct 21, 2013
Posts: 13
    
    5

Hi, Ted.

This book seems very interesting and very relevant in light of all the vulnerabilities with Java and OS X. Will the book address any of these issues? This link describes what I am referring to; it is an article on ZDNet describing Java 7 OS X vulnerabilities.

Are Java security issues mainly with code jumping out of the 'security manager', or are there other serious security concerns to be aware of?


You will want to look at guideline 18 in the new book, entitled "Do not expose methods that use reduced-security checks to untrusted code". It describes why malicious code was able to jump out of the security sandbox. There was a large family of vulnerabilities of this form discovered in the last year. All of the "critical" Java vulnerabilities you have read about lately were caused by malicious code jumping out of a sandbox.

There are many other security concerns, and they are covered by the rest of the book. Some of them contributed to the recent exploits (an exploit can and often does utilize multiple vulnerabilities).

Do you think it will take years to find all of the bugs in Java that create vulnerabilities similar to C? This is, of course, because the C programming language is notorious for its buffer overflows.


It will take time, but the problem is different in Java than in C. The 'severe' Java vulnerabilities came mostly from the core library, and that is Oracle's responsibility... they have a big cleanup task to do. While you yourself can build vulnerable code, we haven't seen much vulnerable code being exploited that is *not* part of core Java. Contrast this with C, where anyone can build code with buffer overflows (or other problems). To summarize, cleaning up C is a big task for every C programmer; cleaning up Java is a big task for Oracle.

[Java Coding Guidelines] and [The CERT Oracle Secure Coding Standard for Java ] are from the [CERT Secure Coding Initiative]
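As an added illustration of the pattern guideline 18 warns about (example code written for this thread, not taken from the book or from either poster), the class below shows a "trusted" helper that forwards a caller-supplied name to Class.forName(String), whose checks are made relative to the immediate caller rather than the untrusted code that supplied the name, next to a version that restricts the lookup to an allow-list and resolves it with the caller's own class loader. The class name ClassLookup and the allow-list contents are assumptions; note also that the SecurityManager this sandbox model relies on has been deprecated for removal since Java 17.

```java
import java.util.Set;

// Constructed example: a library class that untrusted (sandboxed) code is
// allowed to call. Names and the allow-list are made up for illustration.
public final class ClassLookup {
    private ClassLookup() {}

    // NONCOMPLIANT with guideline 18: Class.forName(String) resolves the
    // class using the loader of its immediate caller, i.e. this trusted
    // class, so a public wrapper hands that reduced-security check to
    // whatever untrusted code calls it.
    public static Class<?> lookupUnsafe(String name) throws ClassNotFoundException {
        return Class.forName(name);
    }

    // COMPLIANT: only a fixed allow-list of classes may be resolved, and the
    // three-argument form of Class.forName uses the loader the caller passes,
    // so the lookup is performed from the caller's own perspective instead of
    // with this class's loader and privileges.
    private static final Set<String> ALLOWED =
            Set.of("java.lang.String", "java.util.ArrayList");

    public static Class<?> lookup(String name, ClassLoader callerLoader)
            throws ClassNotFoundException {
        if (!ALLOWED.contains(name)) {
            throw new SecurityException("class not permitted: " + name);
        }
        // initialize=false: do not run static initializers on behalf of the caller
        return Class.forName(name, false, callerLoader);
    }

    public static void main(String[] args) throws Exception {
        ClassLoader me = ClassLookup.class.getClassLoader();
        System.out.println(lookup("java.util.ArrayList", me).getName());
        try {
            lookup("java.lang.Runtime", me);
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```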
Ted North
Ranch Hand

Joined: Jan 02, 2012
Posts: 192
    
    1

Dave,

Wow, thank you for the awesome response. I am going to have to find some time to read this book. Also, it is very interesting that all the problems are in the classes that come with the JDK and not written by Java programmers.

Thank you again for the response. This is cool. I hope the random matching tool picks my post and I get the free book!

Happy Coding,

Ted